Loading...
Updated on 3rd of June: amended information according to Atlassian’s official advisory update.
On June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution vulnerability. The vulnerability is as CVE-2022-26134 and likely impacts all versions of Confluence Server and Data Center, but Atlassian has not yet confirmed the earliest affected version.
No patch is available yet but Cloudflare customers using either WAF or Access are already protected. Atlassian also recommends implementing a WAF rule that blocks URLs containing ${ as it may reduce risk of being compromised.
Our own Confluence nodes are protected by both WAF and Access, and at the time of writing, we have found no evidence that our Confluence instance was exploited.
Cloudflare reviewed the security advisory, conducted our own analysis, and prepared a WAF mitigation rule via an emergency release. The rule, once tested, was deployed on June 2, 2022, at 23:38 UTC with a default action of BLOCK and the following IDs:
- 100531 (for our legacy WAF)
- 408cff2b (for our new WAF)
All websites, including free customers using the Cloudflare WAF to protect their self-hosted Confluence applications have automatically been protected since the new rule was deployed.
Customers who have deployed Cloudflare Access in front of their Confluence applications were protected from external exploitation attempts even before the emergency release. Access verifies every request made to a Confluence application to ensure it is coming from an authenticated user. Any unauthenticated users attempting this exploit would have been blocked by Cloudflare before they could reach the Confluence server.
Customers not yet using zero trust rules to protect access to their applications can follow these instructions to enable Access now in a few minutes.
Timeline of Events
| 2022-06-02 at 20:00 UTC | Atlassian publishes security advisory |
|---|---|
| 2022-06-02 at 23:38 UTC | Cloudflare publishes WAF rule to target CVE 2022-26134 |
When will a patch be available?
Atlassian estimates that security fixes for supported versions of Confluence will be available for download by end of day on June 3 PDT. As noted above though, Cloudflare customers protecting their Confluence applications with Cloudflare WAF and Access are already protected. We will update this post as soon as new information is available, and we also recommend following the Atlassian security advisory.